Pages: 1 2 [3]
Author Topic: Simos18 SBOOT Research and Progress  (Read 32807 times)
gt-innovation
Sr. Member
****

Karma: +60/-89
Offline Offline

Posts: 442


« Reply #30 on: February 08, 2022, 07:13:09 AM »

HI chaps

Is there an easy way to read (and clone) a Simos18.1 on the bench?
What tools are recommended?

I have PCM Flash but S18.1 is not on the supported list

THanks

Use the search button and read...

1. Don`t spoil threads/posts that have to do with technical stuff without even reading them.
2. Pcmflash will soon support most of the simos variants.
3. If you search and look a bit better you will find a free python solution to flash simos ecus made by "d3irb" and hosted on Github

Works on windows too...
Logged
fastboatster
Full Member
***

Karma: +2/-0
Online Online

Posts: 59


« Reply #31 on: July 26, 2022, 09:43:15 AM »

did something very similar for an older simos 8.5 and posting here:
https://github.com/fastboatster/TC1796_CAN_BSL
instructions are not quite complete yet
Logged
IamwhoIam
Hero Member
*****

Karma: +43/-99
Offline Offline

Posts: 1030


« Reply #32 on: July 28, 2022, 06:43:08 AM »

did something very similar for an older simos 8.5 and posting here:
https://github.com/fastboatster/TC1796_CAN_BSL
instructions are not quite complete yet

Very nice work! Congrats!
Logged

I have no logs because I have a boost gauge (makes things easier)
fastboatster
Full Member
***

Karma: +2/-0
Online Online

Posts: 59


« Reply #33 on: July 28, 2022, 05:58:17 PM »

Very nice work! Congrats!
Thanks, appreciate the kind words! Wouldn’t be able to do it if d3irb hadn’t described simos18 exploit, though
Logged
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #34 on: November 10, 2022, 12:12:52 PM »

could you please share the file (bin or odx) you have been working on or at least the software id?
Maybe I was inattentive, but I did not find it on the forum.
Logged
d3irb
Full Member
***

Karma: +131/-1
Online Online

Posts: 185


« Reply #35 on: November 10, 2022, 12:40:09 PM »

In the VW_Flash writeups about CBOOT and patching, the addresses are all from 8V0906259H__0001.frf , for no reason other than this is the file that came on my car. This is SC8 project, E0 CBOOT, O20 ASW. This should be in the documentation somewhere.

In the Simos18_SBOOT write-ups about SBOOT, the addresses are all from a Simos 18.1 SBOOT/TSW. I think the TSW version identifier for this is REGEE5F401E1_TSW--v10. You need a full read to get SBOOT of course, since it isn't in the update container.
Logged
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #36 on: November 11, 2022, 06:19:40 AM »

Thank you. You are right it was always there
https://github.com/bri3d/VW_Flash/blob/master/docs/cli.md
Logged
808AWD325xi
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 4


« Reply #37 on: February 21, 2024, 05:36:25 PM »

Thank you, d3irb and fastboatster !!

Your findings and knowledge sharing have really helped me to better understand the Siemen's MSD81 ECU (TC1796) in my BMW.

So far I can trigger a jump to SBOOT, but have not yet located the RSA private key needed to satisfy the $65 service response. Needless to say, I am way behind you guys.

I compared a SIMOS 8.5 bin with a MSD80 bin and noticed byte for byte SBOOT code reuse. That being said, it wouldn't surprise me if commercial exploits that upload code to RAM via SBOOT and dump PFLASH, etc. are reusable between platforms.
Logged
fastboatster
Full Member
***

Karma: +2/-0
Online Online

Posts: 59


« Reply #38 on: February 21, 2024, 11:38:23 PM »

Thank you, d3irb and fastboatster !!

Your findings and knowledge sharing have really helped me to better understand the Siemen's MSD81 ECU (TC1796) in my BMW.

So far I can trigger a jump to SBOOT, but have not yet located the RSA private key needed to satisfy the $65 service response. Needless to say, I am way behind you guys.

I compared a SIMOS 8.5 bin with a MSD80 bin and noticed byte for byte SBOOT code reuse. That being said, it wouldn't surprise me if commercial exploits that upload code to RAM via SBOOT and dump PFLASH, etc. are reusable between platforms.
You know, I was looking at IKMOS MSD81 firmware very recently, too, and noticed a lot of very similar things in general, not just in terms of boot firmware. I haven't looked for an RSA key yet, and haven't tried to put an MSD81/80 into SBOOT mode since I don't have any of these on hand - my guess is it just needs to have PWM voltage applied to some cam sensor or Vanos solenoid pins, right? I sort of put this on the back burner for now since I'm busy with my job search, and just don't feel like working on this DME right now and desoldering and retracing boot pins on PCB. I might get to it eventually, but by that time, I think you will figure it out already. I am just lazily looking at e9x MEVD17, but not spending too much time on that, either
Logged
808AWD325xi
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 4


« Reply #39 on: February 22, 2024, 12:36:53 AM »

You know, I was looking at IKMOS MSD81 firmware very recently, too, and noticed a lot of very similar things in general, not just in terms of boot firmware. I haven't looked for an RSA key yet, and haven't tried to put an MSD81/80 into SBOOT mode since I don't have any of these on hand - my guess is it just needs to have PWM voltage applied to some cam sensor or Vanos solenoid pins, right? I sort of put this on the back burner for now since I'm busy with my job search, and just don't feel like working on this DME right now and desoldering and retracing boot pins on PCB. I might get to it eventually, but by that time, I think you will figure it out already. I am just lazily looking at e9x MEVD17, but not spending too much time on that, either

I'm sorry to hear that. I wish you the best of luck! I gave up on my job search quite a while ago.

You can jump to SBOOT via CAN, no PWM required.

I compared a MSD80 dump to the SIMOS 8.5 SBOOT bin you posted in the thread below (example attached):
https://nefariousmotorsports.com/forum/index.php?topic=14906.msg153252#msg153252

I ordered a SIMOS 8.4 from eBay to check it out.
Logged
prj
Hero Member
*****

Karma: +903/-420
Offline Offline

Posts: 5787


« Reply #40 on: February 22, 2024, 01:12:55 AM »

For the Simos8.5/8.4/12/MSD81/MSD85/ etc SBOOT there is an exploit without having to jump into BSL mode to examine memory.
This was closed in the newer ECU's.

Since there is a ton of tools that can do it, it probably is easiest to just sniff an existing tool rather than reinvent the wheel.
Logged

PM's will not be answered, so don't even try.
Log your car properly.
808AWD325xi
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 4


« Reply #41 on: February 22, 2024, 12:21:55 PM »

I  came across this KWP2000 reset payload for SIMOS 18 in some ETAS ProF files... "52 73 74 4B". It might be the jump from ASW to SBOOT. The expected response is "44 6F 6E 65".
Logged
fastboatster
Full Member
***

Karma: +2/-0
Online Online

Posts: 59


« Reply #42 on: February 22, 2024, 12:32:34 PM »

For the Simos8.5/8.4/12/MSD81/MSD85/ etc SBOOT there is an exploit without having to jump into BSL mode to examine memory.
This was closed in the newer ECU's.

Since there is a ton of tools that can do it, it probably is easiest to just sniff an existing tool rather than reinvent the wheel.
well, at least for me, this was a moderately difficult but somewhat useful *exercise*. not too difficult as the general workflow had been described, but challenging enough for somebody who had never looked into any DME/ECU firmware before. It did provide something I could use as an alternative to some commercial tools. I have a general idea of what's going on with commercial exploit - i.e., likely, something like Nintendo 3ds bootloader hack. I'm not really inclined to spend more time on this as these are 2 very old and increasingly irrelevant ECU/DMEs, but if there's some low-hanging fruit and some free time then maybe why not - i.e., commercial tool sniff etc.
@808AWD325xi - there're no bootloader differences between the 8.5 and 8.4 aside from the RSA keys. When I was saying that msd is closer to 8.4, I meant to say that both have their eeproms on the external chips, while 8.5 stores it in the internal d flash.
Logged
Pages: 1 2 [3]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.023 seconds with 18 queries. (Pretty URLs adds 0s, 0q)